Research examines CVE data highlighting critical vulnerabilities and exposures within OT and IT assets
Chandler, AZ (PR Newswire) – SynSaber, an industrial asset and network monitoring company dedicated to protecting OT and IT systems and defending critical infrastructure, in collaboration with the ICS Advisory Project, published their bi-annual ICS Vulnerabilities report. The report analyzes the Common Vulnerabilities and Exposures (CVEs) reported via CISA ICS Advisories in the first half of 2023, provides insight and identifies notable trends within the sector while comparing the first half of 2023 to previous years.
With the growing regulation of critical infrastructure and the Industrial Control Systems (ICS) that constitute it, there is increasing emphasis on maturing cybersecurity and operations, resulting in a greater focus on vulnerability management. The targeting and exploitation of vulnerabilities within U.S. critical infrastructure have become increasingly common. This research outlines the entities that report the majority of ICS-related CVEs, which critical infrastructure sectors are most likely to be impacted, and the status and severity of the identified vulnerabilities.
“Every OT environment is unique and purpose-built for a specific mission,” said Jori VanAntwerp, SynSaber Co-Founder and CEO. “As a result, the likelihood of exploitation and impact will vary greatly for each organization. One thing is certain: the number of CVEs reported is likely to continue increasing over time or at least remain steady. It is our hope that this research helps asset owners prioritize when and how to mitigate vulnerabilities in accordance with their own environment.”
Key findings from the ICS vulnerabilities report:
- 34% of the CVEs reported in the first half of 2023 currently have no patch or remediation available from the vendor. This is comparable to the 35% from the second half of 2022 but is a significant increase from the 13% in the first half of 2022.
- The total number of CISA ICS Advisories has decreased by 9.8% when compared to the first half of 2022.
- The total number of CVEs reported via CISA ICS Advisories has also decreased, although very slightly, by 1.6% when compared to the first half of 2022.
- Manufacturing and Energy were the two critical infrastructure sectors most likely to be impacted by the CVEs reported in the first half of 2023 (37.3% and 24.3%, respectively).
“We’re thrilled to publish this research along with SynSaber,” said Dan Ricci, Founder of the ICS Advisory Project. “Educating and helping companies mitigate vulnerabilities as new trends and findings emerge over time is an ongoing challenge, but as a community, we must come together to better prepare and defend our world’s critical infrastructure.”
If you would like to speak more in-depth about the CVE report or any other OT-related topics, CEO Jori VanAntwerp will be at Black Hat next week.
About SynSaber
SynSaber is the simple, flexible, and scalable industrial asset and network monitoring solution that provides continuous insight into the status, vulnerabilities, and threats across every point in the industrial ecosystem, empowering operators to observe, detect and defend OT/IT systems and protect critical infrastructure. SynSaber is privately held with funding from SYN Ventures, Rally Ventures, and Cyber Mentor Fund. Learn more at SynSaber.com.
About The ICS Advisory Project
The ICS Advisory Project is an open-source analysis tool for OT asset owners, CISOs, cybersecurity analysts, and researchers to identify threats and vulnerabilities by product, vendor, and critical infrastructure sector. The project’s interactive dashboards are the result of countless hours of research, analysis, and data enrichment by founder Dan Ricci and community volunteers using CISA ICS Advisories, CVEs, MITRE ATT&CK, and other threat/vulnerability data. The full ICS[AP] dataset is publicly available via a GitHub Repository. Learn more at ICSAdvisoryProject.com.